Merge branch '2.7' into 2.8

* 2.7: [Security\Http] detect bad redirect targets using backslashes [Form] Filter file uploads out of regular form types Fix CI minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas) [travis] fix composer.lock invalidation for PRs patching several components [travis] fix composer.lock invalidation for deps=low minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas) [travis] ignore ordering when validating composer.lock files for deps=low minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas) fix ci [travis] fix requiring mongodb/mongodb before composer up minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas) [2.7] Make CI green updated VERSION for 2.7.49 updated CHANGELOG for 2.7.49 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer [HttpFoundation] Remove support for legacy and risky HTTP headers updated VERSION for 2.7.48 update CONTRIBUTORS for 2.7.48 updated CHANGELOG for 2.7.48
2018-12-06 11:12:46 +00:00 · 2018-12-06 11:12:46 +00:00 · 410ed830c5
parent 6d1b296403 f27dd4b5be
commit 410ed830c5
7 changed files with 57 additions and 4 deletions
--- a/CHANGELOG-2.7.md
+++ b/CHANGELOG-2.7.md
@ -7,6 +7,19 @@ in 2.7 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.7.0...v2.7.1

+* 2.7.49 (2018-08-01)
+
+ * security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)
+ * security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)
+
+* 2.7.48 (2018-05-25)
+
+ * bug #27359 [HttpFoundation] Fix perf issue during MimeTypeGuesser intialization (nicolas-grekas)
+ * security #cve-2018-11408 [SecurityBundle] Fail if security.http_utils cannot be configured
+ * security #cve-2018-11406 clear CSRF tokens when the user is logged out
+ * security #cve-2018-11385 Adding session strategy to ALL listeners to avoid *any* possible fixation
+ * security #cve-2018-11386 [HttpFoundation] Break infinite loop in PdoSessionHandler when MySQL is in loose mode
+
 * 2.7.47 (2018-05-21)

 * bug #26781 [Form] Fix precision of MoneyToLocalizedStringTransformer's divisions on transform() (syastrebov)
--- a/src/Symfony/Component/Form/Extension/Core/Type/FileType.php
+++ b/src/Symfony/Component/Form/Extension/Core/Type/FileType.php
@ -105,6 +105,7 @@ class FileType extends AbstractType
            'data_class' => $dataClass,
            'empty_data' => $emptyData,
            'multiple' => false,
+            'allow_file_upload' => true,
        ));
    }

--- a/src/Symfony/Component/Form/Extension/Core/Type/FormType.php
+++ b/src/Symfony/Component/Form/Extension/Core/Type/FormType.php
@ -231,6 +231,7 @@ class FormType extends BaseType
            'attr' => $defaultAttr,
            'post_max_size_message' => 'The uploaded file was too large. Please try to upload a smaller file.',
            'upload_max_size_message' => $uploadMaxSizeMessage, // internal
+            'allow_file_upload' => false,
        ));

        $resolver->setNormalizer('attr', $attrNormalizer);
--- a/src/Symfony/Component/Form/Form.php
+++ b/src/Symfony/Component/Form/Form.php
@ -537,6 +537,11 @@ class Form implements \IteratorAggregate, FormInterface
            $submittedData = null;
        } elseif (is_scalar($submittedData)) {
            $submittedData = (string) $submittedData;
+        } elseif ($this->config->getOption('allow_file_upload')) {
+            // no-op
+        } elseif ($this->config->getRequestHandler()->isFileUpload($submittedData)) {
+            $submittedData = null;
+            $this->transformationFailure = new TransformationFailedException('Submitted data was expected to be text or number, file upload given.');
        }

        $dispatcher = $this->config->getEventDispatcher();
@ -546,6 +551,10 @@ class Form implements \IteratorAggregate, FormInterface
        $viewData = null;

        try {
+            if (null !== $this->transformationFailure) {
+                throw $this->transformationFailure;
+            }
+
            // Hook to change content of the data submitted by the browser
            if ($dispatcher->hasListeners(FormEvents::PRE_SUBMIT)) {
                $event = new FormEvent($this, $submittedData);
--- a/src/Symfony/Component/Form/Tests/CompoundFormTest.php
+++ b/src/Symfony/Component/Form/Tests/CompoundFormTest.php
@ -712,7 +712,7 @@ class CompoundFormTest extends AbstractFormTest
            'REQUEST_METHOD' => $method,
        ));

-        $form = $this->getBuilder('image')
+        $form = $this->getBuilder('image', null, null, array('allow_file_upload' => true))
            ->setMethod($method)
            ->setRequestHandler(new HttpFoundationRequestHandler())
            ->getForm();
@ -1088,6 +1088,21 @@ class CompoundFormTest extends AbstractFormTest
        $this->assertFalse($submit->isSubmitted());
    }

+    public function testFileUpload()
+    {
+        $reqHandler = new HttpFoundationRequestHandler();
+        $this->form->add($this->getBuilder('foo')->setRequestHandler($reqHandler)->getForm());
+        $this->form->add($this->getBuilder('bar')->setRequestHandler($reqHandler)->getForm());
+
+        $this->form->submit(array(
+            'foo' => 'Foo',
+            'bar' => new UploadedFile(__FILE__, 'upload.png', 'image/png', 123, UPLOAD_ERR_OK),
+        ));
+
+        $this->assertSame('Submitted data was expected to be text or number, file upload given.', $this->form->get('bar')->getTransformationFailure()->getMessage());
+        $this->assertNull($this->form->get('bar')->getData());
+    }
+
    protected function createForm()
    {
        return $this->getBuilder()
--- a/src/Symfony/Component/Security/Http/HttpUtils.php
+++ b/src/Symfony/Component/Security/Http/HttpUtils.php
@ -59,7 +59,7 @@ class HttpUtils
     */
    public function createRedirectResponse(Request $request, $path, $status = 302)
    {
-        if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
+        if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) {
            $path = '/';
        }

--- a/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php
@ -54,14 +54,28 @@ class HttpUtilsTest extends TestCase
        $this->assertTrue($response->isRedirect('http://localhost/blog'));
    }

-    public function testCreateRedirectResponseWithBadRequestsDomain()
+    /**
+     * @dataProvider badRequestDomainUrls
+     */
+    public function testCreateRedirectResponseWithBadRequestsDomain($url)
    {
        $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
-        $response = $utils->createRedirectResponse($this->getRequest(), 'http://pirate.net/foo');
+        $response = $utils->createRedirectResponse($this->getRequest(), $url);

        $this->assertTrue($response->isRedirect('http://localhost/'));
    }

+    public function badRequestDomainUrls()
+    {
+        return array(
+            array('http://pirate.net/foo'),
+            array('http:\\\\pirate.net/foo'),
+            array('http:/\\pirate.net/foo'),
+            array('http:\\/pirate.net/foo'),
+            array('http://////pirate.net/foo'),
+        );
+    }
+
    public function testCreateRedirectResponseWithProtocolRelativeTarget()
    {
        $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');